‘AV Protection 2011,’ Variant of FakeScanti Group of Trojans Detected

Researchers at the security company GFI Software report that fake anti-virus software belonging to the FakeScanti family of malicious programs is currently on the rise and is targeting unwitting users. Help Net Security reported this on November 29, 2011.

One particular FakeScanti variant, "AV Protection 2011", was recently identified, and according to the GFI researchers it has an interesting feature. Like PC worms and backdoors, the malware modifies the HOSTS file of the infected system when it runs. As a result, 'AV Protection 2011' redirects end-users to a malicious IP address located in Germany that hosts another FakeScanti variant, "AV Secure 2012". The redirection occurs whenever the end-user browses to the popular websites facebook.com, yahoo.com, bing.com or google.com.
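The HOSTS-file hijack described above is easy to check for from the defender's side. The following is an added example, not code from GFI or the report: it parses HOSTS-format text and flags any entry that pins one of the named domains (or a subdomain) to an address other than loopback, unspecified or link-local. The sample HOSTS content and the IP address in it are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Domains the report says the rogue AV redirects; the IPs below are constructed.
WATCHED_DOMAINS = {"facebook.com", "yahoo.com", "bing.com", "google.com"}

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from HOSTS-format text, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, n.lower().rstrip(".")) for n in names)
    return pairs

def is_local(ip: str) -> bool:
    """Loopback, unspecified or link-local targets are normal in a HOSTS file."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address: treat as suspicious
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local

def find_hijacked(text: str, watched=WATCHED_DOMAINS) -> Dict[str, str]:
    """Map each watched domain (or subdomain) to the non-local IP it is pinned to."""
    hits = {}
    for ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            if not is_local(ip):
                hits[name] = ip
    return hits

# Constructed sample HOSTS content; 198.51.100.7 is an RFC 5737 documentation address.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.7    www.google.com google.com
198.51.100.7    facebook.com www.facebook.com
127.0.0.1       ads.example.invalid   # benign ad-blocking entry
"""

if __name__ == "__main__":
    for host, ip in sorted(find_hijacked(SAMPLE_HOSTS).items()):
        print(f"suspicious HOSTS entry: {host} -> {ip}")
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` (Windows) or `/etc/hosts` and pass its contents to `find_hijacked`.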

The GFI researchers further note that web surfers can be infected with 'AV Protection 2011' after being taken to SEO-poisoned websites or to sites linked from spam e-mails. On visiting these sites, the surfer downloads the BlackHole attack toolkit, which has the rogue anti-virus bundled into it.

Notably, the security company's blog post identifies 'AV Protection 2011' as the Trojan Trojan.Win32.FakeAV.IS (v).

Commenting on the rogue AV's behaviour, Jovi Umawing, Communications and Research Analyst at GFI Software, stated that it was not unusual for backdoors and worms to hijack the HOSTS file, but fake AV applications doing so was unusual. HOSTS-file hijacking is also common among phishers, who use it to divert end-users to phishing sites instead of the legitimate ones they intended to visit, the analyst pointed out. Help Net Security reported this on November 29, 2011.

Finally, end-users are advised to remain cautious when following links in e-mail. A recipient who did not initiate contact with the sender should delete the message without opening the link and without giving it a second thought, Umawing suggests. Care is also needed when searching online, as fake AV purveyors continue to use SEO tactics to trap victims, he concludes.